IP targeting: the IP (Internet Protocol) address has been used as a location targeting mechanism and for cross-device analytics almost since the birth of Internet advertising.
But using IP has always been risky from a privacy perspective – and now Apple plans to get rid of IP addresses for Safari users and hide them by default.
Apple will automatically mask IP addresses in its browser with Intelligent Tracking Prevention, and people who subscribe to Apple’s new iCloud Plus service will be able to turn on a second layer of protection, a feature called Private Relay, which makes it harder to determine the user’s real IP address.
Apple will start rerouting Web traffic through two separate servers to hide the user’s IP address. The feature, called Private Relay, will act as a kind of VPN. Private Relay will be part of a new service called iCloud Plus and will likely be available this fall.
The overall impact of Private Relay is likely to be minimal at first, because it only applies to the Apple universe.
Even so, it “definitely signals that IP-based geotargeting may not be available in the future,” according to Nishant Desai, director of technology and partnerships at Xaxis.
Regulators have tested how much IP addresses violate privacy, and IP addresses are already considered personal information in Europe. Under California’s user privacy law, their status as personal information is ambiguous at best.
Nevertheless, IP addresses have long been used as a proxy for location, as part of device graphs for cross-device analytics, as part of fingerprinting technology and partly as an identifier for targeting.
Here’s how IP targeting is used today and what may replace it for advertisers in the future.
Dynamic IP
To be clear, an IP address is a numeric value assigned to Internet-connected devices that allows them to identify each other on the Internet. IP addresses are the cornerstone of how the Internet functions.
Internet service providers allocate IP addresses to their customers, which come in two varieties: static and dynamic.
Static IP addresses are usually used by companies and remain unchanged over time, a bit like a phone number or physical address. However, most users have dynamic IP addresses, which change periodically, usually when the router is rebooted.
This is why B2B marketing can often succeed by targeting a specific company IP address or group of IP addresses, while advertising campaigns that target a general group of users can simply drain your money.
Similarly, corporate VPNs can render such targeting meaningless because it may appear that someone’s traffic is coming from New York City while the user is working remotely in suburban Philadelphia.
“IP addresses can help identify users, but you can’t use them in the same way as a deterministic device identifier,” according to Desai. “If you’re using an IP address to form device graphs or to improve the accuracy of fingerprinting, you should know that at some point the identifier is likely to change or wasn’t accurate to begin with.”
“Naive” uses of IP
One of the two main ways to use IP in advertising is to determine the approximate location of a device or group of devices and target them.
A company like Neustar, which has a large database of IP addresses, can help DSPs and other ad tech vendors look up IP addresses to determine the geography associated with an IP address so it can be used for targeting by city, state/county or zip code. This data can be transmitted by the owner of the site or application in response to requests from the DSP.
But while IP addresses are commonly used as a location-based targeting mechanism, this practice is simplistic, “naive and fraught with problems,” according to Bosko Milekic, CTO and co-founder of the Optable data synchronization platform.
Beyond privacy concerns (IP addresses are a standard part of every request, sent along with the data in the User-Agent header, which means there’s no way for users to agree or disagree with IP-based targeting), IP-based targeting can be highly ineffective when IP data is corrupted.
“Let’s say you fly to New York City for a day (24 hours) and your device is registered as having visited the city – for the next three months, all you see are real estate listings in little-known Wisconsin neighborhoods,” said Ana Milicevic, principal and co-founder of digital consulting firm Sparrow Advisors. “It ruins the user experience because the ads are so obviously mis-personalized, but it’s also bad from the advertiser’s perspective because they’re draining money for nothing based on data that, when you’re in New York City, won’t necessarily change again when you go back to your city.”
“Users who have recently visited a place are still targeted as being there for about 30 days,” Ana Milicevic said.
IP & CTV
“In television (CTV), IP targeting is very difficult to apply,” said Bosko Milekic of Optable.
For example, you can analyze the IP addresses found in network traffic to build up a picture of consumers and devices in certain regions over time. This requires determining when regions’ IP addresses change, which is nontrivial, Milekic said, because the frequency of IP address updates can vary by region, country and provider.
“However, if implemented effectively, a single IP address can be used to identify possible connections between devices in a common home region, which in turn can be used to improve the scale and depth of targeting and measurement in CTV,” he said.
The question is whether this type of analysis will remain viable – or even feasible – if other browser and platform vendors follow in Apple’s footsteps.
That uncertainty is partly responsible for the move to authentication when logging into streaming services. Even ad-supported services often require login to be less dependent on IP address.
“While fenced gardens will still have their ways of getting user data for targeting, removing IP addresses could be seen as a big loss for the open Internet, content sites and everything else,” Milicevic said. “Advertisers and the monetization ecosystem will be affected, but will users fight it? Probably not.”
A walled garden is a closed ecosystem in which all operations are controlled by the owner of the ecosystem. It is becoming popular due to restrictions on the use of data: the IDFA, when users opt out in response to an ATT request on iOS, and, in the future, IP addresses.
Technically speaking, this means you have to create your own marketing stack (DMP / DSP / DCO) for first-party data, so you yourself can offer advertisers what other vendors offer (tracking people, identifying them, monitoring the effectiveness of advertising campaigns).
Moving on.
The slow movement toward getting rid of third-party cookies and the increased focus on IP addresses as a privacy issue indicate that the pendulum is swinging away from the extensive global identity sharing that began with the advent of RTB, Milekic said.
“What we’re seeing now is that it’s moving in a different direction, with a greater focus on enabling more direct communication and more controlled, authorized, customizable — and, where possible, limiting the amount of information exchanged.”
For example, location APIs developed by major platforms, including Google, Facebook and Apple, have begun to emerge as a way to add location information to an app. The API has the browser or app request permission to access a user’s location.
People can also allow certain apps and sites to determine their location using a combination of cellular, GPS, Wi-Fi and Bluetooth data. Asking for consent to transmit data means advertisers will have fewer people whose location they can pinpoint, but it won’t be impossible to do so.
But it really only works on an individual level.
Targeting specific regions is another problem, and it will remain a serious problem in terms of possible solutions, especially in the online television (CTV) environment, where shared viewing for multiple people is the norm.
For example, parents may not want a company to collect data about their children, Desai said, but there’s no easy way to say, “Use this data from the data profile, but don’t use this data specifically.”
In the absence of an effective mechanism for managing region-specific permissions, advertisers, publishers and technology providers need to be as transparent as possible, Desai said.
“People just want to know what data companies are collecting about them and how it’s being used – whether it’s an IP address or something else,” he said.